Question
IT projects have gone over budget with too many security controls being added post-production. Which of the following would MOST help to ensure that relevant security controls are integrated into a project?
A. Involving information security at each stage of project management
B. Creating a data classification framework and providing it to stakeholders
C. Identifying responsibilities during the project business case analysis
D. Providing stakeholders with minimum information security requirements
Answer
A. Involving information security at each stage of project management
Explanation
According to the ISACA website, one of the tasks under the Incident Management domain is to establish and maintain an incident response plan to ensure an effective and timely response to information security incidents. This implies that information security should be integrated into project management, so that security controls are considered and implemented throughout the project lifecycle, rather than added post-production.
One way to achieve this is to involve information security at each stage of project management. This would allow the project manager and the information security manager to work together to define the security requirements, assess the security risks, select and implement the security controls, monitor and evaluate the security performance, and review and improve the security outcomes of the project. This would also ensure that security is aligned with the business objectives, scope, budget, schedule and quality of the project.
Therefore, I think the best answer to your question is A. Involving information security at each stage of project management. This is because this option would most help to ensure that relevant security controls are integrated into a project, and avoid going over budget or compromising security. The other options are not as effective or relevant as this one. For example:
B. Creating a data classification framework and providing it to stakeholders: This option may help with identifying and protecting the sensitive data involved in the project, but it does not address the other aspects of information security, such as network, system, application or physical security. It also does not ensure that the stakeholders will follow or implement the data classification framework.
C. Identifying responsibilities during the project business case analysis: This option may help with assigning roles and accountabilities for information security in the project, but it does not address how security controls will be selected, implemented, monitored or improved throughout the project lifecycle. It also does not ensure that the responsibilities will be fulfilled or enforced.
D. Providing stakeholders with minimum information security requirements: This option may help with setting a baseline for information security in the project, but it does not address how security controls will be tailored to the specific needs, risks and context of the project. It also does not ensure that the stakeholders will comply with or exceed the minimum requirements.